Skip to content

L
linux
Commit b113958b authored by Steve French's avatar Steve French
Browse files
Options

Merge bk://linux.bkbits.net/linux-2.5 

into hostme.bitkeeper.com:/repos/c/cifs/linux-2.5cifs
parents 1db72c60 05e9f979
Show whitespace changes
Inline Side-by-side
Showing with 100 additions and 85 deletions
fs/cifs/cifs_debug.c
View file @ b113958b
......@@ -89,8 +89,8 @@ cifs_debug_data_read(char *buf, char **beginBuffer, off_t offset,
ses->serverOS, ses->serverNOS, ses->capabilities);
buf += length;
if(ses->server)
buf += sprintf(buf, "\tLocal Users To Same Server: %d ",
atomic_read(&ses->server->socketUseCount));
buf += sprintf(buf, "\tLocal Users To Same Server: %d SecMode: 0x%x",
atomic_read(&ses->server->socketUseCount),ses->server->secMode);
}
read_unlock(&GlobalSMBSeslock);
sprintf(buf, "\n");
......@@ -590,6 +590,8 @@ packet_signing_enabled_write(struct file *file, const char *buffer,
sign_CIFS_PDUs = 0;
else if (c == '1' || c == 'y' || c == 'Y')
sign_CIFS_PDUs = 1;
else if (c == '2')
sign_CIFS_PDUs = 2;
return count;
}
......
fs/cifs/cifsencrypt.c
View file @ b113958b
......@@ -24,6 +24,7 @@
#include "cifsglob.h"
#include "cifs_debug.h"
#include "md5.h"
#include "cifs_unicode.h"
/* Calculate and return the CIFS signature based on the mac key and the smb pdu */
/* the 16 byte signature must be allocated by the caller */
......@@ -133,8 +134,58 @@ int cifs_calculate_mac_key(char * key, const char * rn, const char * password)
if ((key == NULL) || (rn == NULL) || (password == NULL))
return -EINVAL;
E_md4hash(password, temp_key); /* BB may have to do another md4 of it */
E_md4hash(password, temp_key);
mdfour(key,temp_key,16);
memcpy(key+16,rn, CIFS_SESSION_KEY_SIZE);
return 0;
}
int CalcNTLMv2_partial_mac_key(struct cifsSesInfo * ses, struct nls_table * nls_info)
{
char temp_key[16];
struct HMACMD5Context ctx;
char * ucase_buf;
wchar_t * unicode_buf;
unsigned int i,user_len,dom_len;
if(ses)
return -EINVAL;
E_md4hash(ses->password_with_pad, temp_key);
hmac_md5_init_limK_to_64(temp_key, 16, &ctx);
user_len = strlen(ses->userName);
if(user_len > MAX_USERNAME_SIZE)
return -EINVAL;
dom_len = strlen(ses->domainName);
if(dom_len > MAX_USERNAME_SIZE)
return -EINVAL;
ucase_buf = kmalloc((MAX_USERNAME_SIZE+1), GFP_KERNEL);
unicode_buf = kmalloc((MAX_USERNAME_SIZE+1)*2, GFP_KERNEL);
for(i=0;i<user_len;i++)
ucase_buf[i] = nls_info->charset2upper[(int)ses->userName[i]];
ucase_buf[i] = 0;
user_len = cifs_strtoUCS(unicode_buf, ucase_buf, MAX_USERNAME_SIZE*2, nls_info);
/* BB inc user_len + 2 or 2 for trailing nulls? */
/* Add call to hmac md5 user BB */
for(i=0;i<dom_len;i++)
ucase_buf[i] = nls_info->charset2upper[(int)ses->domainName[i]];
ucase_buf[i] = 0;
dom_len = cifs_strtoUCS(unicode_buf, ucase_buf, MAX_USERNAME_SIZE*2, nls_info);
/* BB inc dom_len + 1 or 2 for trailing nulls? */
/* Add call to hmac md5 domain */
/* BB add hmac md5 final BB */
kfree(ucase_buf);
kfree(unicode_buf);
return 0;
}
fs/cifs/cifsproto.h
View file @ b113958b
......@@ -88,8 +88,7 @@ extern int CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
const struct nls_table *);
extern int CIFSNTLMSSPAuthSessSetup(unsigned int xid,
struct cifsSesInfo *ses, char *ntlm_session_key,
char *lanman_session_key,int ntlmv2_flag,
const struct nls_table *);
int ntlmv2_flag, const struct nls_table *);
extern int CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
const char *tree, struct cifsTconInfo *tcon,
......@@ -229,6 +228,7 @@ extern int cifs_sign_smb(struct smb_hdr *, struct cifsSesInfo *,__u32 *);
extern int cifs_verify_signature(const struct smb_hdr *, const char * mac_key,
__u32 expected_sequence_number);
extern int cifs_calculate_mac_key(char * key,const char * rn,const char * pass);
extern void CalcNTLMv2_partial_mac_key(struct cifsSesInfo *, struct nls_table *);
/* BB routines below not implemented yet BB */
......
fs/cifs/connect.c
View file @ b113958b
......@@ -634,7 +634,6 @@ get_dfs_path(int xid, struct cifsSesInfo *pSesInfo,
int setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo, struct nls_table * nls_info)
{
int rc = 0;
char session_key[CIFS_SESSION_KEY_SIZE];
char ntlm_session_key[CIFS_SESSION_KEY_SIZE];
int ntlmv2_flag = FALSE;
......@@ -666,26 +665,28 @@ int setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo, struct nls_tab
nls_info);
if (!rc) {
if(ntlmv2_flag) {
cFYI(1,("Able to use the more secure NTLM version 2 password hash"));
/* SMBNTv2encrypt( ...); */ /* BB fix this up -
and note that Samba client equivalent looks wrong */
} else
SMBNTencrypt(pSesInfo->password_with_pad,
pSesInfo->server->cryptKey,ntlm_session_key);
cFYI(1,("Can use more secure NTLM version 2 password hash"));
/* SMBNTv2encrypt( ...); */ /* BB fix this up */
CalcNTLMv2_partial_mac_key(pSesInfo,
nls_info);
/* cifs_calculate_ntlmv2_mac_key(pSesInfo->mac_signing_key, ntlm_session_key, */
/* BB Put dummy sig in SessSetup PDU? */
/* BB add call to save MAC key here BB */
} else {
SMBNTencrypt(pSesInfo->password_with_pad,
pSesInfo->server->cryptKey,
ntlm_session_key);
cifs_calculate_mac_key(pSesInfo->mac_signing_key,
ntlm_session_key,
pSesInfo->password_with_pad);
}
/* for better security the weaker lanman hash not sent
in AuthSessSetup so why bother calculating it */
/* toUpper(nls_info,
password_with_pad);
SMBencrypt(password_with_pad,
pSesInfo->server->cryptKey, session_key); */
in AuthSessSetup so we no longer calculate it */
rc = CIFSNTLMSSPAuthSessSetup(xid,
pSesInfo,
ntlm_session_key,
session_key,
ntlmv2_flag,
nls_info);
}
......@@ -694,7 +695,8 @@ int setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo, struct nls_tab
pSesInfo->server->cryptKey,
ntlm_session_key);
cifs_calculate_mac_key(pSesInfo->mac_signing_key, ntlm_session_key, pSesInfo->password_with_pad);
cifs_calculate_mac_key(pSesInfo->mac_signing_key,
ntlm_session_key, pSesInfo->password_with_pad);
rc = CIFSSessSetup(xid, pSesInfo,
ntlm_session_key, nls_info);
}
......@@ -1297,7 +1299,7 @@ CIFSSpnegoSessSetup(unsigned int xid, struct cifsSesInfo *ses,
int bytes_returned = 0;
int len;
cFYI(1, ("In v2 sesssetup "));
cFYI(1, ("In spnego sesssetup "));
smb_buffer = buf_get();
if (smb_buffer == 0) {
......@@ -1605,7 +1607,9 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
SecurityBlob->NegotiateFlags =
NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM |
NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM | 0x80000000 |
NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_128;
/* NTLMSSP_NEGOTIATE_ALWAYS_SIGN | */ NTLMSSP_NEGOTIATE_128;
if(sign_CIFS_PDUs)
SecurityBlob->NegotiateFlags |= NTLMSSP_NEGOTIATE_SIGN;
if(ntlmv2_support)
SecurityBlob->NegotiateFlags |= NTLMSSP_NEGOTIATE_NTLMV2;
/* setup pointers to domain name and workstation name */
......@@ -1725,6 +1729,17 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
CIFS_CRYPTO_KEY_SIZE);
if(SecurityBlob2->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLMV2)
*pNTLMv2_flag = TRUE;
if((SecurityBlob2->NegotiateFlags &
NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
|| (sign_CIFS_PDUs > 1))
ses->server->secMode |=
SECMODE_SIGN_REQUIRED;
if ((SecurityBlob2->NegotiateFlags &
NTLMSSP_NEGOTIATE_SIGN) && (sign_CIFS_PDUs))
ses->server->secMode |=
SECMODE_SIGN_ENABLED;
if (smb_buffer->Flags2 &= SMBFLG2_UNICODE) {
if ((long) (bcc_ptr) % 2) {
remaining_words =
......@@ -1868,7 +1883,7 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
int
CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
char *ntlm_session_key, char *lanman_session_key, int ntlmv2_flag,
char *ntlm_session_key, int ntlmv2_flag,
const struct nls_table *nls_codepage)
{
struct smb_hdr *smb_buffer;
......@@ -1934,7 +1949,9 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
SecurityBlob->NegotiateFlags =
NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET |
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_TARGET_INFO |
0x80000000 | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_128;
0x80000000 | NTLMSSP_NEGOTIATE_128;
if(sign_CIFS_PDUs)
SecurityBlob->NegotiateFlags |= /* NTLMSSP_NEGOTIATE_ALWAYS_SIGN |*/ NTLMSSP_NEGOTIATE_SIGN;
if(ntlmv2_flag)
SecurityBlob->NegotiateFlags |= NTLMSSP_NEGOTIATE_NTLMV2;
......
fs/cifs/smbencrypt.c
View file @ b113958b
......@@ -470,58 +470,3 @@ int SMBNTLMv2encrypt(const char *user, const char *domain, const char *password,
return TRUE;
}
/***********************************************************
SMB signing - setup the MAC key.
************************************************************/
void
cli_calculate_mac_key(__u8 * mac_key, int *pmac_key_len,
const char *ntpasswd, const unsigned char resp[24])
{
/* Get first 16 bytes. */
E_md4hash(ntpasswd, mac_key);
memcpy(mac_key + 16, resp, 24);
*pmac_key_len = 40;
/* Reset the sequence number in case we had a previous (aborted) attempt */
/* cli->sign_info.send_seq_num = 0; */
}
/***********************************************************
SMB signing - calculate a MAC to send.
************************************************************/
void
cli_caclulate_sign_mac(struct smb_hdr *outbuf, __u8 * mac_key,
int mac_key_len, __u32 * send_seq_num,
__u32 * reply_seq_num)
{
unsigned char calc_md5_mac[16];
struct MD5Context md5_ctx;
/* if (!cli->sign_info.use_smb_signing) {
return;
} */
/*
* Firstly put the sequence number into the first 4 bytes.
* and zero out the next 4 bytes.
*/
/*
SIVAL(outbuf, smb_ss_field, *send_seq_num);
SIVAL(outbuf, smb_ss_field + 4, 0); */
/* Calculate the 16 byte MAC and place first 8 bytes into the field. */
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, mac_key, mac_key_len);
MD5Update(&md5_ctx, outbuf->Protocol,
be32_to_cpu(outbuf->smb_buf_length));
MD5Final(calc_md5_mac, &md5_ctx);
memcpy(outbuf->Signature.SecuritySignature, calc_md5_mac, 8);
(*send_seq_num)++;
*reply_seq_num = *send_seq_num;
(*send_seq_num)++;
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7